Chris Conn – my little corner of RFC 2616


RANCID and IOS 15.2 – blank config and how to work around newer file privileges

In or around IOS 15.2 a structural change to privileges was apparently made that prevents non-privilege-15 users from copying the running config, something RANCID and similar tools rely on. Either the RANCID/Oxidized community simply uses privilege 15 users in their configs, which I refuse to do on principle, or my google-fu is poor, because I have not found this information stated explicitly anywhere.

In any case, the typical config that allows downloading a running config on Cisco IOS without level-15 privileges has always been documented as:

In IOS <= 15.1 the above was always enough to allow user “rancidbackup” to issue “show running-config view full” and have the CLI output the current configuration. Under IOS 15.2 the behaviour appears to have changed. Some folks receive a “permission denied” error, while others (as in my experience) simply get an empty config back. As an example:

The first option is to cave and allow the rancid backup user to obtain level-15 privileges upon login. The academic risk of compromise via this admin-level user can be mitigated by limiting the IP addresses from which it can log in, using an ACL. Example:

By adding access-class to the username definition, it is possible to prevent this user from being used from other sources. This might even be advisable for any scenario where scripts or tools access the device. However, this method still requires the user to have admin level-15 privileges.

The second option, the one we use, is to issue “file privilege 10”. With that in place, a privilege-10 user can see via “show running-config view full” (and not just “show running-config”) the information we want to back up with our tool, in this case RANCID. As you can see, “show running-config” is useless, but “show running-config view full” outputs what we need:

I am still researching secondary implications of setting “file privilege” to anything other than level 15. I haven’t found a way, using a privilege 10 user, to modify or delete the files, so use at your own risk (!). But combining the two mechanisms above, I believe, provides a sufficient means to allow non-privileged, read-only access to the configuration for use with config management and other scripting tools.
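The two mechanisms combined, as an added example configuration (this is not the post's own config; the username, ACL numbers and addresses are placeholders I assume for illustration):

```cisco
! Added example, not the original post's configuration.
! Username, ACL numbers and addresses are assumed placeholders.
!
! Option 1 (the one the post rejects): backup user lands at level 15.
! Shown only for contrast; the hardened version below replaces it.
! username rancidbackup privilege 15 secret <REDACTED>
!
! Option 2: read-only backup user at privilege 10.
username rancidbackup privilege 10 secret <REDACTED>
!
! Make the full-view variant available at level 10. Plain
! "show running-config" at a lower level only shows what that level may
! configure, hence the near-empty output the post describes.
privilege exec level 10 show running-config view full
!
! Under 15.2 the config file defaults to a privilege-15 file privilege;
! lower it so a level-10 user can read it (the post's workaround).
file privilege 10
!
! Restrict where this account may log in from: only the RANCID host.
access-list 10 remark RANCID-HOST
access-list 10 permit host 192.0.2.10
username rancidbackup access-class 10
!
! Belt and braces: also restrict the vty lines to management sources.
access-list 20 remark MGMT-SOURCES
access-list 20 permit 192.0.2.0 0.0.0.255
line vty 0 4
 access-class 20 in
 transport input ssh
!
! Verification, logged in as rancidbackup:
!   show privilege                 -> "Current privilege level is 10"
!   show running-config view full  -> full configuration is printed
!   configure terminal             -> not available at level 10
```

Confirm afterwards that the backup account still cannot reach configure mode or copy/delete files; those remain level-15 commands unless you explicitly lower them too.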

Happy to help. Hopefully there are no dire security issues with changing the file permissions :/ Still trying to document that detail and not finding much with regards to why this architectural change in IOS was made.